Google Cloud IAM troubleshooting scripts intended to provide several indicators of a user's permissions on GCP resources.
- inspect/query
  - Allows an end user to ask "of all the permissions this resource accepts, which ones do I have?"
  - Allows a domain administrator to impersonate any user and inspect which permissions that user has on a resource.
  - Uses the IAM Policy Troubleshooter API to determine if the user has IAM access to a resource.
  - Displays whether IAM Conditions are applicable.
  - Backtracks the IAM Resource Hierarchy from the resource to the root and displays all the IAM Roles present at each node. (TODO: display the subset of permissions at each node applicable to the target resource)
  - Uses IAM Policy Analyzer to help determine if a given user has access to a resource through indirect capabilities:
    - Through nested or direct group memberships bound to the resource
    - Through service account impersonation where the service account has direct or indirect access.
    - Other mechanisms described here
- map/
  The other utility provided here is basically just a forward and reverse map and graph of IAM Roles->Permissions and Permissions->Roles. Mostly just fun stuff.
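As an added example (not one of the repo's scripts), the following carries out the inspect/query hierarchy backtrack, including the TODO of showing the per-node subset of permissions the target resource accepts, together with the map/ forward and reverse Role/Permission map. The role definitions, hierarchy, bindings and principals are all constructed and abbreviated here; the real scripts would read them from the IAM and Resource Manager APIs.

```python
# Added example, not part of the repo. All data below is constructed: the real
# scripts fetch role definitions, the resource hierarchy, and policy bindings
# from the IAM / Resource Manager APIs instead of hard-coding them.
from collections import defaultdict

# Constructed forward map, IAM role -> permissions (abbreviated for the example).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/viewer": {"storage.objects.get", "resourcemanager.projects.get"},
}

def reverse_map(role_permissions):
    """Permission -> roles that grant it: the map/ utility's reverse view."""
    rev = defaultdict(set)
    for role, perms in role_permissions.items():
        for perm in perms:
            rev[perm].add(role)
    return dict(rev)

# Constructed hierarchy: each node records its parent and its IAM policy bindings.
HIERARCHY = {
    "organizations/111": {"parent": None, "bindings": {"roles/viewer": {"user:alice@example.com"}}},
    "folders/222": {"parent": "organizations/111", "bindings": {}},
    "projects/demo": {"parent": "folders/222", "bindings": {"roles/storage.objectCreator": {"group:devs@example.com"}}},
    "buckets/demo-bucket": {"parent": "projects/demo", "bindings": {"roles/storage.objectViewer": {"user:alice@example.com"}}},
}

def backtrack(resource, principals, hierarchy=HIERARCHY, role_permissions=ROLE_PERMISSIONS):
    """Resource -> root: [(node, roles bound to any of `principals`, permissions those roles grant)].
    `principals` is the user plus the groups it belongs to (what Policy Analyzer expands)."""
    trail, node = [], resource
    while node is not None:
        bindings = hierarchy[node]["bindings"]
        roles = sorted(r for r, members in bindings.items() if members & principals)
        perms = set().union(*(role_permissions[r] for r in roles))
        trail.append((node, roles, perms))
        node = hierarchy[node]["parent"]
    return trail

def permissions_i_have(resource, principals, accepted):
    """'Of all the permissions this resource accepts, which ones do I have?'"""
    granted = set().union(*(perms for _, _, perms in backtrack(resource, principals)))
    return sorted(granted & set(accepted))

if __name__ == "__main__":
    me = {"user:alice@example.com", "group:devs@example.com"}  # user plus expanded group memberships
    accepted = ["storage.objects.get", "storage.objects.list", "storage.objects.create", "storage.objects.delete"]
    for node, roles, perms in backtrack("buckets/demo-bucket", me):
        print(node, roles, sorted(perms & set(accepted)))  # per-node subset the target accepts (the TODO)
    print(permissions_i_have("buckets/demo-bucket", me, accepted))
```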
Note that users can have access to resources through various mechanisms and restrictions:
- User has direct IAM binding on the resource
- User has indirect access through
- User has access through Workload Identity Federation
- Access restricted through IAM Conditions
Each of these scripts attempts to surface aspects of these access capabilities and restrictions. The intent is to use them together to surface a user's full access scope.
**This code is NOT supported by Google, really**

NOTE: this utility is just a way to list and test Roles/Permissions. It does not account for IAP Context-Aware Access, VPC Service Controls (VPC-SC) or IAM Conditions.